Requirements
The following are the minimum security requirements that must be followed for each DCL.
UM Data Classification System |
Workstations (Desktops & Laptops) |
Systems Management |
Level 1: Systems must be managed by a qualified IT professional in accordance with the Workstation Management Standard. Operating system and application updates must be applied as soon as they are available. Workstations must not be configured as servers. Administrator passwords must meet the Password Standard. |
Level 2: Must comply with DCL1 requirements. |
Level 3: Must comply with DCL1 and DCL2 requirements. Must have logging enabled according to the University standard. |
Level 4: Must comply with DCL1, DCL2 and DCL3 requirements. Workstations that hold DCL4 data must be encrypted. University-issued workstations must be encrypted using software/services authorized or provided by the central IT department. |
Network & Remote Access Security |
Levels 1-3: Central IT departments and system administrators must ensure adherence to the Network Security Standard. Automatic joining to unknown or untrusted networks should be turned off. Device should not be used as a hotspot/access point for other devices. University business must not be conducted on public/unsecured wireless networks (e.g., coffee shop WiFi networks) except through the use of VPN or other secure remote access services as provided or authorized by your campus IT department. |
Level 4: Must comply with DCL1, DCL2 and DCL3 requirements. Automatic joining to unknown or untrusted networks must be turned off. Device must not be used as a hotspot/access point for other devices. |
Physical Security |
Levels 1-4: Computer screens must be locked when unattended. Automatic screensaver lock must not exceed 20 minutes. Desktop computers must be reasonably secure when unattended. Computers stationed in public areas, such as kiosks, must be physically attached to a wall or work surface to deter theft. Laptops must be physically secured when unattended. Strong consideration should be given to the use of system tracking software (i.e., Computrace) for users who travel with their computer. Report lost or stolen computers/computing devices that are used for work purposes, regardless of ownership, to the appropriate ISO per the Mandatory Reporting Requirement. Additional recommendations are located at www.umsystem.edu/ums/is/infosec/standards-travel. |
Backup/Disaster Recovery |
Levels 1-4: All original and current versions of information/data must be stored or backed up on University-owned or approved systems (servers). Data stewards are responsible for taking appropriate measures to ensure that data is available and secure. |
Data Disposal |
Levels 1-4: All computing devices that are surplused or otherwise disposed of must follow University surplus property and data disposal policies. |
Public Kiosks |
Levels 1-4: Publicly-accessible computers and kiosk-type computers must be configured to clear Internet cache. Computers stationed in public areas must be physically attached to a wall or work surface to deter theft. University information/data must not be stored on a computer that could potentially be used by the public. |
Personally-Owned Computers |
Levels 1-3: Personally-owned computers used for University business must be managed according to the same standards as a University-issued device. University business information/data must not be stored on a personally-owned computer, except under certain circumstances when access to the Internet, and thus, access to central storage locations, is unavailable. In these circumstances, keeping University-related electronic materials on a personally-owned computer should be temporary. Consult your IT support staff for information about how to store University information/data when using a personally-owned computer. |
Level 4: University business information/data must not be stored on personally-owned devices. |
Travel |
Levels 1-4: Review and follow the Information Security Travel Standard when traveling with a laptop or other mobile computing device. |
Reviewed 2021-08-27